Re: [c-nsp] Port-channel between Cisco 4948 and ASR 9k going err-disable

2016-10-12 Thread Tom Hill
On 12/10/16 18:06, David Wilkinson wrote:
> Should split horizon stop the loops when connecting downstream switches
> in a resilient configuration?

It can't when you've the ability to loop a broadcast frame around via
devices that aren't party to the split horizon forwarding. I'm not
certain this is really how VPLS was supposed to be used, in all honesty.

Your 4948s at each site /should not/ be able to broadcast between each
other; they ought to both go to a single PE. Anything between them then
relies on the PEs (and split horizon forwarding) for loop avoidance.

Assuming that you can't do that for some reason, then perhaps just
removing the LAG/STP misconfiguration protection (and sticking with
PVST) will solve your current woes.

I do, however, wonder if MST-AG might be safer for you in the long run:

https://supportforums.cisco.com/document/61401/asr9000xr-using-mst-ag-mst-access-gateway-mst-and-vpls

Mainly because the PEs would then know what's going on. It might provide
faster convergence across the VFI, too.

To add some further resilience, you could look at multi-homed VPLS (or
EVPN) which would involve MC-LAG from both local PEs towards each 4948.
You'd still use the same number of 10G links as you are now. Less, if
the 4948s aren't interconnected.

In general though, this is a lot of work that could be unpicked very
easily if just one of your customers creates a loop within their own
network, with effects very similar to those that you've experienced
running this topology without PVST. :)

-- 
Tom
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Port-channel between Cisco 4948 and ASR 9k going err-disable

2016-10-12 Thread David Wilkinson

On 12/10/2016 00:12, Tom Hill wrote:
> I'm assuming you know what that device is that's claiming the root
> bridge? That's probably a good clue.

The "new" root bridge MAC is the device which has always been the root for
this VLAN; none of the other devices between these and the root logged a
change.

> Assuming PVST BPDUs are leaking across the VPLS instance, perhaps this
> is (as Dragan alludes to) triggering the EtherChannel/STP
> misconfiguration detection.
>
> There's a good description here:
>
> http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/20625-127.html
>
> "Both sent and received BPDUs are examined by the detection mechanism.
> An EtherChannel is considered inconsistent if the channel detects
> greater than 75 BPDUs from different MAC addresses in more than 30
> seconds. However, if 5 BPDUs are seen consecutively from the same MAC
> address, the detection counters are reset. These timers/counters can
> change in future software releases."

This might be it. It will be seeing BPDUs from different MAC addresses
as there are multiple STP-speaking switches connected to the VPLS instances.

> With the split horizon forwarding inherent to VPLS, do you need PVST (or
> STP in general) to run across these links?

Without PVST running I end up with looping traffic. The traffic leaves
the VPLS on ASR 1, goes to the 4948 devices, then comes back into the
VPLS on ASR 2, which then gets forwarded back to ASR 1 and out to the 4948.
Running PVST over the VPLS allowed the 4948 to put one of the port-channels
up to an ASR into blocking, stopping the loop.


Take the following as an example: a customer has a layer 2 service between
sites. Should one of the ASRs or one of the links to an ASR fail, traffic
should flow via one of the other links.

The customer's VLAN from the 4948 goes in to a VPLS on the ASRs.

          Customer
             |
             |
   4948 1         4948 2
     |               |
     |               |
   ASR 1   ------  ASR 2
     |               |
     |               |
   4948 3         4948 4
             |
             |
          Customer

If the BPDUs are not sent over the VPLS instance then it loops.

Should split horizon stop the loops when connecting downstream switches 
in a resilient configuration?

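The 75-BPDU / 30-second / 5-consecutive rule quoted above is simple enough to model. The following Python is an added example, not code from this thread or from Cisco: it replays constructed BPDU streams through a detector written from that description (the sliding-window reading of "in more than 30 seconds", the documentation-range MAC addresses and the VLAN counts are assumptions) and shows why a single upstream bridge never trips it, while per-VLAN PVST BPDUs from several remote switches leaking across a VPLS trip it within a few hello intervals.

```python
from collections import namedtuple
from typing import Optional

# One received BPDU: arrival time in seconds and the source MAC of the frame.
Bpdu = namedtuple("Bpdu", "t src_mac")

# Figures taken from the quoted Cisco document; their exact window semantics
# are an assumption of this example.
DIFFERENT_MAC_THRESHOLD = 75
WINDOW_SECONDS = 30
SAME_MAC_RESET_RUN = 5


class EtherChannelMisconfigDetector:
    """Approximation of the EtherChannel/STP misconfiguration guard described above.

    Each BPDU whose source MAC differs from the previous one is counted inside a
    sliding 30 s window; more than 75 such BPDUs err-disable the channel. Five
    BPDUs in a row from the same MAC clear the counter, which is exactly what a
    single healthy upstream bridge sending hellos produces.
    """

    def __init__(self):
        self._seen = []                 # arrival times of "different MAC" BPDUs in the window
        self._last_mac = None
        self._same_run = 0
        self.tripped_at: Optional[float] = None

    def observe(self, bpdu: Bpdu) -> bool:
        """Process one BPDU; return True once the channel would be err-disabled."""
        if self.tripped_at is not None:
            return True                 # already err-disabled, nothing more to count
        if bpdu.src_mac == self._last_mac:
            self._same_run += 1
            if self._same_run >= SAME_MAC_RESET_RUN:
                self._seen.clear()      # "detection counters are reset"
                self._same_run = 0
        else:
            self._last_mac = bpdu.src_mac
            self._same_run = 1
            self._seen.append(bpdu.t)
        cutoff = bpdu.t - WINDOW_SECONDS
        self._seen = [t for t in self._seen if t >= cutoff]   # age out the window
        if len(self._seen) > DIFFERENT_MAC_THRESHOLD:
            self.tripped_at = bpdu.t
            return True
        return False


def run_detector(bpdus) -> Optional[float]:
    """Feed a BPDU stream through the detector; return the time it tripped, or None."""
    det = EtherChannelMisconfigDetector()
    for b in bpdus:
        if det.observe(b):
            break
    return det.tripped_at


# Constructed traffic (assumptions: 2 s hello time, RFC 7042 documentation MACs).
def single_upstream_bridge(hello=2.0, duration=200.0):
    """One root-facing bridge: every hello comes from the same source MAC."""
    return [Bpdu(n * hello, "00:00:5e:00:53:01") for n in range(int(duration / hello))]


def leaked_pvst(n_switches, n_vlans, hello=2.0, duration=30.0):
    """PVST sends one BPDU per VLAN per bridge; across a VPLS with several remote
    switches the port-channel sees them interleaved, so consecutive MACs differ."""
    bpdus, t = [], 0.0
    while t < duration:
        for _vlan in range(n_vlans):
            for s in range(n_switches):
                bpdus.append(Bpdu(t, f"00:00:5e:00:53:{s + 0x10:02x}"))
        t += hello
    return bpdus


if __name__ == "__main__":
    print("single bridge:", run_detector(single_upstream_bridge()))   # None
    print("2 switches, 1 VLAN:", run_detector(leaked_pvst(2, 1)))    # None
    print("4 switches, 8 VLANs:", run_detector(leaked_pvst(4, 8)))   # 4.0
```

The two-switch, one-VLAN case stays under the threshold because only one alternating BPDU per second arrives; it is the per-VLAN multiplication of PVST, times the number of remote bridges whose BPDUs the VPLS carries, that pushes the count past 75 inside the window. That is also the thing to check when an err-disabled channel shows this reason: count the distinct BPDU source MACs arriving on the bundle rather than assuming a cabling mistake.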


[c-nsp] Cisco Security Advisory: Cisco Meeting Server Client Authentication Bypass Vulnerability

2016-10-12 Thread Cisco Systems Product Security Incident Response Team

Cisco Meeting Server Client Authentication Bypass Vulnerability

Advisory ID: cisco-sa-20161012-msc

Revision 1.0

For Public Release 2016 October 12 16:00  UTC (GMT)
Last Updated  2016 October 12 16:00  UTC (GMT)


Summary
===

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP)
service of the Cisco Meeting Server (CMS) could allow an unauthenticated,
remote attacker to masquerade as a legitimate user. This vulnerability
is due to the XMPP service incorrectly processing a deprecated
authentication scheme. A successful exploit could allow an attacker to
access the system as another user.

Cisco has released software updates that address this vulnerability.
Workarounds that address this vulnerability in some environments are
available. 

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-msc


Re: [c-nsp] VPN IPsec and NAT

2016-10-12 Thread Garrett Skjelstad
Post relevant sanitized phase2 configurations.

Mainly your ACLs.

On Oct 12, 2016 04:37, "Tseveendorj Ochirlantuu" wrote:

> Hello
>
> I'm new to site-to-site IPsec VPN and also to the ASA 5505 firewall.
>
> My site-to-site IPsec VPN tunnel is established between SiteA and SiteB, and
> I can ping an IP behind the firewall. Now I need to
>
> Site A is one VPN end
> Site B is the other VPN end
> Site C is the other VPN end
> IP1 is located outside of Site B.
>
>
> SiteA ---> SiteB ---> SiteC
>   Site to Site VPN   Site to Site VPN
>
> Which means SiteB has two IPsec VPN configs.
>
>
> Now I want that if Site A accesses IP1, it goes over the VPN and Site B's
> firewall NATs Site A's LAN IP to its outside interface address (PAT
> overload) and reaches IP1.
>
>
> I'm trying this but with no success. I have a log in the firewall; I just
> sanitized the IP addresses to the names above.
>
> %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence
> number= 0x75) from "SiteA Public IP" (user= "SiteA Public IP") to "SiteB
> Public IP".  The decapsulated inner packet doesn't match the negotiated
> policy in the SA.  The packet specifies its destination as "IP1", its
> source as "SiteA Local IP", and its protocol as 6.  The SA specifies its
> local proxy as "SiteC Local Subnet"/0/0 and its remote_proxy as "SiteA
> Local subnet" /0/0.
>
> What is the problem? Thank you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] 7609 local vlan significance

2016-10-12 Thread James Bensley
On 12 October 2016 at 15:38, Nick Cutting  wrote:
> I thought the same - which IOS devices have you seen it on -
>
> I have seen it on XE (ASR/CSR/44xx), but not on a fully licensed Sup2T, so 
> can't imagine it's on a 7600?

I saw it on some 7200s. I was looking to move services to a 7600, so I
opened a TAC case because the documentation was a bit scarce, and
discussed it with TAC (I wanted to clarify behaviour without CFC
cards, DFCs, different line card models etc.); they said it should work
fine. I lobbed the config on a 7600 in the lab (it took the config) but
I never got to test it: an ASR9K went into the DC, so the design
changed and that wasn't needed anymore.

Initially I wrote the config in GNS3 and it worked (so IOS):
https://null.53bits.co.uk/index.php?page=vasi-inter-vpn-routing


Cheers,
James.


Re: [c-nsp] 7609 local vlan significance

2016-10-12 Thread Nick Cutting
I thought the same - which IOS devices have you seen it on - 

I have seen it on XE (ASR/CSR/44xx), but not on a fully licensed Sup2T, so 
can't imagine it's on a 7600?

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James 
Bensley
Sent: Wednesday, October 12, 2016 4:35 AM
To: Cisco Network Service Providers 
Subject: Re: [c-nsp] 7609 local vlan significance

On 12 October 2016 at 02:19, Tony  wrote:
> VASI is only on IOS-XE is it not ?

No, it's on IOS, XE and XR.


Cheers,
James.



Re: [c-nsp] AAA-3-BADLIST

2016-10-12 Thread A . L . M . Buxey
Hi,
> Hello,
> 
> I'm getting the following on one of our production routers.
> 
> %AAA-3-BADLIST: invalid list AAA ID 4190791 -Process= "SSH Process"

Error Message: %AAA-3-BADLIST: invalid list AAA ID %u

Explanation: An AAA client has provided an invalid attribute list to AAA.

Recommended Action: Copy the message exactly as it appears on the console or
in the system log. Research and attempt to resolve the issue using the tools
and utilities provided at http://www.cisco.com/tac. With some messages, these
tools and utilities will supply clarifying information. Search for resolved
software issues using the Bug Toolkit at
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still
require assistance, open a case with the Technical Assistance Center via the
Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your
Cisco technical support representative and provide the representative with the
information that you have gathered. Attach the following information to your
case in nonzipped, plain-text (.txt) format: the output of the show logging and
show tech-support commands and your pertinent troubleshooting logs.



You could turn on some debugging on AAA.

alan


[c-nsp] AAA-3-BADLIST

2016-10-12 Thread Righa Shake
Hello,

I'm getting the following on one of our production routers.

%AAA-3-BADLIST: invalid list AAA ID 4190791 -Process= "SSH Process"


Regards,
Righa


[c-nsp] VPN IPsec and NAT

2016-10-12 Thread Tseveendorj Ochirlantuu
Hello

I'm new to site-to-site IPsec VPN and also to the ASA 5505 firewall.

My site-to-site IPsec VPN tunnel is established between SiteA and SiteB, and
I can ping an IP behind the firewall. Now I need to

Site A is one VPN end
Site B is the other VPN end
Site C is the other VPN end
IP1 is located outside of Site B.


SiteA ---> SiteB ---> SiteC
  Site to Site VPN   Site to Site VPN

Which means SiteB has two IPsec VPN configs.


Now I want that if Site A accesses IP1, it goes over the VPN and Site B's
firewall NATs Site A's LAN IP to its outside interface address (PAT
overload) and reaches IP1.


I'm trying this but with no success. I have a log in the firewall; I just
sanitized the IP addresses to the names above.

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence
number= 0x75) from "SiteA Public IP" (user= "SiteA Public IP") to "SiteB
Public IP".  The decapsulated inner packet doesn't match the negotiated
policy in the SA.  The packet specifies its destination as "IP1", its
source as "SiteA Local IP", and its protocol as 6.  The SA specifies its
local proxy as "SiteC Local Subnet"/0/0 and its remote_proxy as "SiteA
Local subnet" /0/0.

What is the problem? Thank you.
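What the %ASA-4-402116 message above is checking is whether the decapsulated packet's source and destination fall inside the proxy identities (the crypto ACL) negotiated for that SA. The Python below is an added example, not the poster's configuration or Cisco code: it models the two phase 2 SAs on SiteB with constructed RFC 5737 documentation subnets (192.0.2.0/24 for SiteA's LAN, 198.51.100.0/24 for SiteC's LAN and 203.0.113.10 for IP1 are assumptions) and reproduces the condition in the log, namely a packet from SiteA bound for IP1 that no SA's local proxy covers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Phase2SA:
    """One negotiated IPsec SA as seen from this firewall (SiteB)."""
    peer: str
    local_proxy: ipaddress.IPv4Network    # what this side claims to protect
    remote_proxy: ipaddress.IPv4Network   # what the peer claims to protect


# Constructed selectors (assumptions; RFC 5737 documentation ranges).
SITE_A_LAN = ipaddress.ip_network("192.0.2.0/24")
SITE_C_LAN = ipaddress.ip_network("198.51.100.0/24")
IP1 = "203.0.113.10"   # a host outside SiteB, reached via SiteB's outside interface

# The log says the SA with SiteA carries local proxy = SiteC subnet, remote proxy = SiteA subnet.
SA_TO_SITE_A = Phase2SA("SiteA", local_proxy=SITE_C_LAN, remote_proxy=SITE_A_LAN)
SA_TO_SITE_C = Phase2SA("SiteC", local_proxy=SITE_A_LAN, remote_proxy=SITE_C_LAN)
SITE_B_SAS = [SA_TO_SITE_A, SA_TO_SITE_C]


def select_sa(sas, inner_src, inner_dst) -> Optional[Phase2SA]:
    """Inbound check: the inner source must sit in an SA's remote proxy and the
    inner destination in that SA's local proxy; otherwise no SA covers the packet."""
    src, dst = ipaddress.ip_address(inner_src), ipaddress.ip_address(inner_dst)
    for sa in sas:
        if src in sa.remote_proxy and dst in sa.local_proxy:
            return sa
    return None


def check_decapsulated(sas, peer, inner_src, inner_dst, proto=6) -> str:
    """Return 'forward' when some SA covers the packet, otherwise a drop
    description carrying the same facts the ASA puts into %ASA-4-402116."""
    if select_sa(sas, inner_src, inner_dst) is not None:
        return "forward"
    negotiated = next(s for s in sas if s.peer == peer)
    return (f"drop: packet {inner_src}->{inner_dst} proto {proto} from {peer} "
            f"does not match negotiated policy local_proxy={negotiated.local_proxy} "
            f"remote_proxy={negotiated.remote_proxy}")


def uncovered_destinations(sas, inner_dsts):
    """Diagnostic: which destinations lie outside every local proxy this box negotiated."""
    return [d for d in inner_dsts
            if not any(ipaddress.ip_address(d) in sa.local_proxy for sa in sas)]


if __name__ == "__main__":
    # SiteA host to SiteC host: covered by the SA with SiteA, forwarded on.
    print(check_decapsulated(SITE_B_SAS, "SiteA", "192.0.2.25", "198.51.100.7"))
    # SiteA host to IP1: the inner destination is in no local proxy, so it is dropped.
    print(check_decapsulated(SITE_B_SAS, "SiteA", "192.0.2.25", IP1))
    print(uncovered_destinations(SITE_B_SAS, ["198.51.100.7", IP1]))
```

The proxy identities come from the crypto ACLs on both peers, which is why the reply above asks for the phase 2 ACLs: the decapsulated packet is compared against what was negotiated, not against whatever NAT or routing SiteB would apply to it afterwards.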


Re: [c-nsp] 7609 local vlan significance

2016-10-12 Thread James Bensley
On 12 October 2016 at 02:19, Tony  wrote:
> VASI is only on IOS-XE is it not ?

No, it's on IOS, XE and XR.


Cheers,
James.